VPC Flashcards
What does a VPC Consist of?
Internet gateway (or virtual private gateway)
Route Tables
NACLs
Subnets
& Security Groups
Remember: one subnet is always in exactly one AZ (a subnet can't span AZs)
NAT Gateways
Redundant inside the AZ
Starts at 5 Gbps & scales automatically (these notes say to 45 Gbps; AWS docs now quote 100 Gbps)
No need to patch, AWS does this for you
Not associated with security groups
Has a public IP: you associate an Elastic IP w/ a public NAT Gateway when you create it (a private NAT Gateway uses a private IP & only reaches other VPCs / on-prem, not the internet)
High Availability w/ NAT Gateways
Popular Exam Question
If resources in multiple AZs share one NAT Gateway & that NAT Gateway's AZ goes down, the resources in the other AZs lose internet access too
To build an AZ-independent architecture, create a NAT Gateway in each AZ & configure each private subnet's route table so its 0.0.0.0/0 route points at the NAT Gateway in the same AZ
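The check behind that exam question, as an added example (not from the original flashcards): the subnet, NAT Gateway and route table inventory below is constructed (the IDs and AZ names are made up), in the shape you would get back from describe-subnets, describe-nat-gateways and describe-route-tables. The functions find private subnets whose 0.0.0.0/0 route leaves their AZ, simulate losing an AZ, and build the one-NAT-per-AZ plan the flashcard describes.

```python
"""AZ-independence check for NAT Gateway routing.

Added example, not from the original flashcards. All IDs and AZ names are
constructed; rtb-shared is the anti-pattern from the notes (2 AZs sharing
nat-a, so an outage of us-east-1a also cuts off 1b and 1c).
"""

# subnet id -> AZ (a subnet lives in exactly one AZ)
SUBNETS = {
    "subnet-private-a": "us-east-1a",
    "subnet-private-b": "us-east-1b",
    "subnet-private-c": "us-east-1c",
}

# NAT Gateway id -> AZ of the public subnet it was created in
NAT_GATEWAYS = {
    "nat-a": "us-east-1a",
    "nat-b": "us-east-1b",
}

# route table id -> (associated subnets, target of the 0.0.0.0/0 route)
ROUTE_TABLES = {
    "rtb-a": (["subnet-private-a"], "nat-a"),
    "rtb-shared": (["subnet-private-b", "subnet-private-c"], "nat-a"),
}


def default_route_target(subnet_id, route_tables):
    """NAT Gateway used by a subnet's 0.0.0.0/0 route, or None if it has none."""
    for subnets, target in route_tables.values():
        if subnet_id in subnets:
            return target
    return None


def cross_az_dependencies(subnets, nat_gateways, route_tables):
    """Subnets whose internet egress crosses an AZ boundary.

    Returns (subnet, subnet_az, nat, nat_az) tuples; empty means AZ-independent."""
    findings = []
    for subnet_id, az in subnets.items():
        nat = default_route_target(subnet_id, route_tables)
        if nat is not None and nat_gateways[nat] != az:
            findings.append((subnet_id, az, nat, nat_gateways[nat]))
    return findings


def subnets_losing_egress(failed_az, subnets, nat_gateways, route_tables):
    """Subnets in *healthy* AZs that lose internet access when failed_az is down."""
    lost = []
    for subnet_id, az in subnets.items():
        if az == failed_az:
            continue  # that subnet is down anyway; not a routing design problem
        nat = default_route_target(subnet_id, route_tables)
        if nat is not None and nat_gateways[nat] == failed_az:
            lost.append(subnet_id)
    return sorted(lost)


def az_independent_plan(subnets, nat_gateways):
    """The fix: one route table per AZ, defaulting to that AZ's own NAT Gateway.

    Returns (route_tables, azs_without_a_nat); every AZ in the second value
    still needs a NAT Gateway before the plan is complete."""
    nat_by_az = {az: nat for nat, az in nat_gateways.items()}
    plan, missing = {}, set()
    for subnet_id, az in subnets.items():
        if az in nat_by_az:
            plan.setdefault(f"rtb-{az}", ([], nat_by_az[az]))[0].append(subnet_id)
        else:
            missing.add(az)
    return plan, sorted(missing)


if __name__ == "__main__":
    for finding in cross_az_dependencies(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES):
        print("cross-AZ egress:", finding)
    print("lose egress if us-east-1a fails:",
          subnets_losing_egress("us-east-1a", SUBNETS, NAT_GATEWAYS, ROUTE_TABLES))
    plan, missing = az_independent_plan(SUBNETS, NAT_GATEWAYS)
    print("per-AZ plan:", plan, "| AZs still needing a NAT Gateway:", missing)
```

Running it on the constructed inventory flags subnet-private-b and subnet-private-c as depending on nat-a in us-east-1a, and the plan builder reports that us-east-1c has no NAT Gateway of its own yet; once one is added there, both checks come back empty.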
Security Groups in VPC
Are stateful & allow-only (rules can only allow; there is no deny rule)
If you send a request from your instance, the response traffic for that request is allowed in regardless of inbound security group rules
Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules
Default Network ACLs
Your VPC automatically comes w/ a default NACL & by default it allows all outbound & inbound traffic
Custom NACLs
You can create custom NACLs.
By default, each custom NACL denies all inbound & outbound traffic until you add rules
NACL Subnet Associations
Each subnet in your VPC must be associated w/ an NACL
If you don't explicitly associate a subnet w/ a custom NACL, it is automatically associated w/ the default NACL
That means the NACL allows everything & only security groups filter the subnet's traffic; it does NOT make the subnet public. A subnet is public only when its route table has a route to an internet gateway
Blocked IPS w/ NACLs
Block specific IPs w/ NACLs, not security groups: security groups have allow rules only, so a deny can only be written in a NACL (give it a low rule # so it wins over a later allow)
NACL Basics
You can associate an NACL w/ multiple subnets; but a subnet can be associated w/ only 1 NACL @ a time
NACLs contain a numbered list of rules that are evaluated in order, lowest to highest #; the first matching rule is applied, & traffic matching no rule hits the final * rule & is denied
NACLs have separate inbound & outbound rules, & each rule can either allow or deny traffic
NACLs are stateless; responses to allowed inbound traffic are subject to rules for outbound traffic (& vice versa)
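The security group and NACL cards above (stateful vs stateless, allow-only vs allow/deny, ordered first-match evaluation, blocking an IP with a NACL), simulated in one added example that is not from the original flashcards. All rule numbers, CIDRs and addresses are constructed. It shows why the reply to an allowed inbound HTTPS request still needs an outbound ephemeral-port rule in the NACL, while the security group passes the same reply with no outbound rule at all.

```python
"""Stateless NACL vs stateful security group, simulated in plain Python.

Added example, not from the original flashcards; every rule, CIDR and address
here is constructed. NACL rules are evaluated lowest number first, the first
match decides, and anything unmatched hits the implicit '*' deny. A security
group is allow-only and remembers connections, so replies pass automatically.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int     # NACL evaluation order, lowest first (AWS allows 1-32766); unused by SGs
    action: str     # "allow" or "deny"; security groups accept "allow" only
    protocol: str   # "tcp", "udp", "icmp" or "all"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple    # inclusive (low, high) destination port range; ignored for "all"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def _matches(rule, ip, port, protocol):
    """Does one rule's protocol, CIDR and port range cover this ip/port?"""
    if rule.protocol not in ("all", protocol):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.protocol == "all" or rule.ports[0] <= port <= rule.ports[1]


def nacl_decision(rules, packet, direction):
    """Evaluate a NACL rule list for one packet in one direction.

    Returns (action, rule_number); ("deny", "*") is the implicit final rule.
    Inbound rules match the source IP, outbound rules the destination IP;
    both match the destination port. Nothing about the other direction is
    remembered, which is what 'stateless' means here."""
    ip = packet.src_ip if direction == "inbound" else packet.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):  # lowest number first
        if _matches(rule, ip, packet.dst_port, packet.protocol):
            return rule.action, rule.number              # first match wins
    return "deny", "*"


class SecurityGroup:
    """Stateful, allow-only filter: a connection accepted in one direction
    has its reply traffic allowed in the other regardless of the rules."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups have no deny rules; use a NACL")
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # (initiator_ip, initiator_port, responder_ip, responder_port)

    def _check(self, rules, packet, rule_ip, new_flow, reply_key):
        if reply_key in self.flows:  # reply to a connection we already accepted
            return True
        if any(_matches(r, rule_ip, packet.dst_port, packet.protocol) for r in rules):
            self.flows.add(new_flow)  # remember it so the reply gets through
            return True
        return False

    def inbound_allowed(self, p):
        return self._check(self.inbound, p, p.src_ip,
                           (p.src_ip, p.src_port, p.dst_ip, p.dst_port),
                           (p.dst_ip, p.dst_port, p.src_ip, p.src_port))

    def outbound_allowed(self, p):
        return self._check(self.outbound, p, p.dst_ip,
                           (p.src_ip, p.src_port, p.dst_ip, p.dst_port),
                           (p.dst_ip, p.dst_port, p.src_ip, p.src_port))


def demo():
    """Run the flashcard scenarios and return each decision by name."""
    # Constructed NACL: deny one abusive IP at a low number, then allow HTTPS from anywhere.
    inbound = [Rule(10, "deny", "all", "198.51.100.7/32", (0, 65535)),
               Rule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]
    outbound_no_ephemeral = [Rule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]
    outbound_with_ephemeral = outbound_no_ephemeral + [Rule(110, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]

    request = Packet("203.0.113.5", 50000, "10.0.1.10", 443)        # client -> web server
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 50000)          # web server -> client
    blocked = Packet("198.51.100.7", 50001, "10.0.1.10", 443)       # the abusive IP
    new_outbound = Packet("10.0.1.10", 40000, "203.0.113.5", 443)   # server-initiated connection

    sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", "0.0.0.0/0", (443, 443))], outbound=[])
    return {
        "nacl_request": nacl_decision(inbound, request, "inbound"),
        "nacl_blocked_ip": nacl_decision(inbound, blocked, "inbound"),
        "nacl_reply_no_ephemeral": nacl_decision(outbound_no_ephemeral, reply, "outbound"),
        "nacl_reply_with_ephemeral": nacl_decision(outbound_with_ephemeral, reply, "outbound"),
        "sg_request": sg.inbound_allowed(request),
        "sg_reply": sg.outbound_allowed(reply),  # allowed with no outbound rule at all
        "sg_new_outbound": sg.outbound_allowed(new_outbound),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

The NACL passes the request on rule 100, denies the abusive IP on rule 10 before rule 100 is ever reached, and drops the reply on the implicit * rule until an outbound allow for ports 1024-65535 exists. The security group, with an inbound 443 allow and no outbound rules, accepts the request, passes the reply from its connection table, and still blocks a brand-new connection the instance tries to open.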
Direct Connect
Direct Connect is a dedicated private network link from your data center to AWS
Useful for high-throughput workloads (eg. lots of network traffic)
Helpful when you need a stable, reliable, consistent connection. It is private but not encrypted on its own; run a Site-to-Site VPN over it (or MACsec on supported dedicated connections) if the traffic must be encrypted
VPC Endpoints
Use case: when you want to reach AWS services from your VPC w/out the traffic leaving the AWS network (no internet gateway or NAT Gateway needed)
2 types of VPC endpoints: interface & gateway endpoints
Gateway endpoints support S3 & DynamoDB & are added as a route in your route table; interface endpoints are an ENI w/ a private IP in your subnet (powered by PrivateLink) & cover most other services
VPC Peering
Allows connection of one VPC w/ another via a direct network route using private IPs (the two VPCs' CIDR ranges must not overlap)
Instances behave as if they are on the same private network
You can peer VPCs w/ other AWS accounts as well as w/ other VPCs in the same account
Peering is in a hub-and-spoke config (eg. 1 central VPC peers w/ 4 others); there is no transitive peering, so spoke VPCs can't reach each other through the hub w/out their own peering connection
You can peer between regions
AWS Private Link
If you see a question about peering VPCs to 10’s, 100’s, or 1,000’s, of customer VPCs, think AWS Private Link
Doesn’t require VPC peering; no route tables, NAT Gateways, internet gateways, etc
Requires an NLB in the service provider's VPC & an ENI (interface endpoint) in the customer's VPC
AWS Transit Gateway
Can use Route tables to limit how VPCs talk to one another
Works w/ direct connect as well as VPN cxns
Supports IP multicast (not supported by other AWS services)
If you see a question about simplifying network topology or talk of IP multicast think transit gateway
VPN CloudHub
Essentially a hub-and-spoke of Site-to-Site VPNs through one virtual private gateway so your satellite sites can talk to each other as well as to AWS
Questions on simplifying VPN networks for multiple sites - think VPN CloudHub